Configuring BIND9 as a Master/Slave pair

Thursday, 5th May 2011

For many years I have been using Webmin as a means of quickly administering the three servers I am responsible for. However, when I was recently asked to set up a number of BIND9 DNS servers in a Master/Slave configuration I set about doing this manually, as none of the servers in question had any form of web interface. This is how I set up three DNS servers to work in unison: one master and two slaves.

Introduction

In my research I came across a large number of HOWTO documents on the subject, however the majority of them seemed to make the process overly complicated, adding confusing and, in some cases, misleading steps. This could be a legacy of earlier HOWTOs targeted at previous BIND versions, where the process was not as easy as it has been made in the latest BIND9 incarnations.
You will need access to named.conf on all the machines in question, as we need to make changes to both the master and slave machines. You should only have one master server, however the process I describe for the slave server can be repeated on any number of machines. I also assume you have fully working servers with otherwise default configurations.

Prerequisites
Generating a DNS Key

The first thing you need to do is create a DNS key, putting it in a secure file you can later include into your BIND configuration.

sudo ddns-confgen > /etc/named-transfer-key.conf

Now edit the new key file (/etc/named-transfer-key.conf) so it looks a little cleaner and give the key a name that means something to us:

key "ddns_transfer_key" {
    algorithm hmac-sha256;
    secret "YSvwULhQMYnZGnMb0k6eFrHIhdKD6py1uEETiWa//V0=";
};

For the record, and so there is no confusion, the key above is one I generated for this HOWTO. It is not used in production in any system I administer and I highly recommend that no-one else try to use the one I have provided instead of generating their own.

We now need to set the permissions on this file so that only the BIND user can read the secret:

sudo chown bind:bind /etc/named-transfer-key.conf
sudo chmod 600 /etc/named-transfer-key.conf

Note that permission 600 prevents anyone other than the file's owner from reading its contents, in my case 'bind'; however, you should make sure to set this to whatever user your BIND server runs under. I found this by running the following command:

# sudo ps -Af | grep named
bind     21910     1  0 Apr20 ?        00:00:13 /usr/sbin/named -u bind

Note that the name in the far-left column is the user the process in question runs as, again in my case bind. However, you might be running BIND as a different user, e.g. named.

Installing the new DNS Key

Now that you have created the required key you need to include it in the BIND9 configuration file of all your servers, master and slave alike. You can do this in two ways: either open the /etc/bind/named.conf file on each system and copy and paste the contents of your /etc/named-transfer-key.conf file, or include that file using the line:

include "/etc/named-transfer-key.conf";

This method requires you to copy the key file to each of your slave servers, ensuring it is in the same place and has the same ownership and permissions as the file on the master server.

Server Configurations
Both Servers

You now need to define every other server in the /etc/bind/named.conf file of each machine by adding the following beneath the line on which you defined the DNS key:

server 123.123.123.123 {
    keys {
        ddns_transfer_key;
    };
};

The IP address above should be that of the other server in the Master/Slave configuration. If you are on the master, list all the slaves; if you are on a slave, list the master and all other slaves. Be sure to use the IP address of each machine's DNS server, not the host name.

These lines simply tell BIND which TSIG key to use to sign its communication with each server.

Slave Server(s)

You now need to tell your slave servers about your new domain name, and let them know where to go looking for updates (who the master server is). We do this by editing the /etc/bind/named.conf.local file and adding a new zone, much like the master zone:

zone "example.com" IN {
  type slave;
  masters {
    123.123.123.123; // The IP of the master server
  };
  file "/var/lib/bind/example.com.slave.zone";
};

Master Server

I will assume you already know how to create a new zone on your master server, or that you already have a zone configured which you now wish to slave elsewhere. There is no special configuration or settings required for your master zone, so there is little point in going over it here.

Assuming you have a zone configured already, it might look something like the one below:

zone "example.com" {
  type master;
  file "/var/lib/bind/example.com.zone";
  allow-transfer {
    127.0.0.1;
    localnets;
  };
};

You might want to consider adding a few extra parameters to the zone definition that allow zone transfers to the slaves and also get the master DNS server to notify all slave servers about updates; however, these extra settings are not required:

zone "example.com" {
  type master;
  file "/var/lib/bind/example.com.zone";
  allow-transfer {
    127.0.0.1;
    localnets;
    123.123.123.1; // The IP of the slave server
    123.123.123.2; // The IP of the slave server
    123.123.123.3; // The IP of the slave server
    123.123.123.4; // The IP of the slave server
  };
  also-notify {
    123.123.123.1; // The IP of the slave server
    123.123.123.2; // The IP of the slave server
    123.123.123.3; // The IP of the slave server
    123.123.123.4; // The IP of the slave server
  };
};
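As an added example (not code from the original post), the following POSIX shell script ties the key-file and configuration steps above together: it checks the key file the way the permissions section describes (mode 600, owned by the named user), renders the 'server' stanzas, and renders master and slave zone stanzas. It goes one step beyond the post by keying allow-transfer on the TSIG key itself, so an unsigned request from a listed address is still refused. The function names and the 192.0.2.x addresses are my own assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: check the key file as the
# post describes (mode 600, owned by the named user) and render the TSIG-keyed
# 'server' and zone stanzas. Addresses and paths are constructed placeholders.

KEY_NAME="ddns_transfer_key"

# key_file_ok FILE USER: succeed only if FILE is a regular file with mode
# -rw------- owned by USER (parsed from 'ls -ld' so it works in any POSIX sh).
key_file_ok() {
    file=$1; owner=$2
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")           # fields: mode links owner group ...
    case "$1" in -rw-------*) [ "$3" = "$owner" ] ;; *) return 1 ;; esac
}

# server_stanzas IP...: one 'server' block per peer so named signs every
# NOTIFY, AXFR and IXFR exchanged with that peer using the shared key.
server_stanzas() {
    for ip in "$@"; do
        printf 'server %s {\n    keys { %s; };\n};\n' "$ip" "$KEY_NAME"
    done
}

# master_zone ZONE SLAVE_IP...: master stanza that accepts transfers only when
# the request is signed with the key (not merely sent from a listed address)
# and notifies each slave directly instead of relying on NS records.
master_zone() {
    zone=$1; shift
    printf 'zone "%s" {\n    type master;\n' "$zone"
    printf '    file "/var/lib/bind/%s.zone";\n' "$zone"
    printf '    allow-transfer { key %s; };\n' "$KEY_NAME"
    printf '    also-notify {'
    for ip in "$@"; do printf ' %s;' "$ip"; done
    printf ' };\n};\n'
}

# slave_zone ZONE MASTER_IP: slave stanza; the matching server_stanzas entry
# for MASTER_IP is what makes the slave sign its transfer requests.
slave_zone() {
    zone=$1; master=$2
    printf 'zone "%s" {\n    type slave;\n    masters { %s; };\n' "$zone" "$master"
    printf '    file "/var/lib/bind/%s.slave.zone";\n};\n' "$zone"
}

# Demo on the master with two constructed slave addresses (RFC 5737 range).
key_file_ok /etc/named-transfer-key.conf bind || echo "warning: key file missing or permissions too loose" >&2
server_stanzas 192.0.2.2 192.0.2.3
master_zone example.com 192.0.2.2 192.0.2.3
```

To confirm the result from a slave, `dig @<master-ip> -y hmac-sha256:ddns_transfer_key:<secret> example.com AXFR` should return the zone, while the same query without -y should be refused.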

Conclusions

That's really it; you're finished. You have now set up a Master/Slave relationship between your BIND9 servers.
